Scalpel: A Frugal, High Performance File Carver

Intro

To refresh your memory, many filesystems do not zero-out the data when they delete it. Instead, they simply remove the knowledge of where it is. File-carving is the process of reconstructing files by scanning the raw bytes of the disk and reassembling them. This is usually done by examining the header (first few bytes) and footer (last few bytes) of a file.

The benefit of using file-carving techniques over analyzing the filesystem’s index is that it’s possible the file was deleted from the filesystem’s index, the partition information may have been damaged, or you might not have a tool that can handle that filesystem type. File-carving programs circumvent these problems by not relying on the filesystem data. That strength is a weakness as well; if a file is fragmented in multiple areas of the disk, it is far more complicated for a file-carving program to extract it.

Scalpel

“Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, HFS+, or raw partitions. It is useful for both digital forensics investigation and file recovery.” (Source: http://www.digitalforensicssolutions.com/Scalpel)

Download and compilation

Scalpel is preinstalled on CERT Fedora. If you are using a different Linux distribution you can use the following directions to obtain Scalpel manually. You may also be able to install Scalpel automatically using a package manager such as “yum” or “apt-get”

You can download Scalpel from here: http://www.digitalforensicssolutions.com/Scalpel/

As of the time of writing this tutorial, the newest version available is 2.0

To extract it, from the directory containing the download, run:

$ tar -xf scalpel-2.0.tar.gz

Change to the directory:

$ cd scalpel-2.0

Then run

$ ./configure

and:

$ make

The compiled executable will be in src/scalpel .

Move it from there to the root directory, as we’ll need the configuration file as well $ mv src/scalpel scalpel

Operation

Now it’s time to go over the basic operation of scalpel. Scalpel uses a configuration file (‘scalpel.conf’ by default) that specifies what file formats we want Scalpel to look for. It lists the known patterns or file signatures in the headers and footers of different file formats. The default configuration file contains entries for many different file formats, each of which is commented out. You will need to either uncomment the formats you want to carve or create your own configuration file. (When running Scalpel use the “-c” option to specify your configuration file if you aren’t using the default.) If you use the default configuration file don’t just uncomment all the patterns. This will waste much time and result in a large number of false positives.

Each entry in the configuration file has the following structure:

<extension> <are the header and footer case sensitive?> <size [min:]max> <header> [footer]

For example:

jpg    y    5000:100000    \xff\xd8\xff\xe0\x00\x10    \xff\xd9

This would indicate to carve JPG images files between 5000 and 100000 bytes, with a file header starting with “\xff\xd8\xff\xe0\x00\x10” and a file footer ending with “\xff\xd9”. Note: the “\x” indicates that the values are specified in hexadecimal and is not part of the actual signature.

Another example of an entry is:

htm    n    50000   <html    </html>

This entry indicates to carve ‘htm’ files that start with ‘<html’ and end with ‘</html>’, (neither of which are case-sensitive,) that are between 0 and 50,000 bytes (~50KB). 

When executing Scalpel the format of the command is as follows:

$ scalpel <options> <image to analyze from>

As an typical example, if we wanted to carve files from “sampleImage” using the configuration file “myScalpel.conf” and saving the results to the directory “myScalpelOutput” (which must be empty or not exist) the command we would use would be:

$ scalpel -c myScalpel.conf –o myScalpelOutput sampleImage

Final Notes:

Because of the way scalpel extracts files based on the headers and footers, it’s possible to have many false positives. You’ll want to validate that the recovered files are truly valid.

In the resources section you will find a compressed disk image from a very small usb drive. The image is called "usbImageForScalpel". You will also find there a configuration file (called "myScalpel.conf") which contains two possible signatures for jpg files.  Use Scalpel to find the jpg files that were deleted from this disk. Answers can be found in the presentation slides and the video.

Further information on this module can be found at the following:

Below are copies of the Scalpel configuration file and (compressed) image analyzed in the slides and video for this module. They can be used to follow along with the presentation or for analysis on your own in the Sample Challenges section.

myScalpel.conf(92 bytes) marcbudofsky, Mar 17 2013, 9:42 PM
usbImageForScalpel.zip(289.08 KB) marcbudofsky, Mar 17 2013, 9:42 PM

You must Sign-In to post a comment.